
Chapter 12 Auditing Theory

Multiple-Choice Questions

1. IT has several significant effects on an organization. Which of the following would not be
easy important from an auditing perspective?
d a. Organizational changes.
b. The visibility of information.
c. The potential for material misstatement.
d. None of the above; i.e., they are all important.

2. The audit procedure which is least useful in gathering evidence on significant computer
easy processes is:
b a. documentation.
b. observation.
c. test decks.
d. generalized audit software.

3. Which of the following is not a benefit of using IT-based controls?


easy a. Ability to process large volumes of transactions.
d b. Ability to replace manual controls with computer-based controls.
c. Reduction in misstatements due to consistent processing of transactions.
d. Over-reliance on computer-generated reports.

4. One significant risk related to an automated environment is that auditors may ____ information
easy provided by an information system.
b a. not place enough reliance on
b. place too much reliance on
c. reveal
d. not understand

5. Which of the following is not a risk specific to IT environments?


easy a. Reliance on the functioning capabilities of hardware and software.
b b. Increased human involvement.
c. Loss of data due to insufficient backup.
d. Reduced segregation of duties.

6. Which of the following is not an enhancement to internal control that will occur as a
easy consequence of increased reliance on IT?
d a. Computer controls replace manual controls.
b. Higher quality information is available.
c. Computer-based controls provide opportunities to enhance separation of duties.
d. Manual controls replace automated controls.

7. Which of the following is not a risk to IT systems?


easy a. Need for IT experienced staff
c b. Separation of IT duties from accounting functions
c. Improved audit trail
d. Hardware and data vulnerability

8. Which of the following is not a category of an application control?


easy a. Processing controls.
c b. Output controls.
c. Hardware controls.
d. Input controls.

9. Old and new systems operating simultaneously in all locations is a test approach known as:
easy a. pilot testing.
d b. horizontal testing.
c. integrative testing.
d. parallel testing.

10. When the client uses a computer but the auditor chooses to use only the non-IT segment of
easy internal control to assess control risk, it is referred to as auditing around the computer. Which
a one of the following conditions need not be present to audit around the computer?
a. Computer programs must be available in English.
b. The source documents must be available in a non-machine language.
c. The documents must be filed in a manner that makes it possible to locate them.
d. The output must be listed in sufficient detail to enable the auditor to trace individual
transactions.

11. Which of the following is a category of general controls?


easy a. Processing controls.
c b. Output controls.
c. Physical and online security.
d. Input controls.

12. Which of the following statements related to application controls is correct?


easy a. Application controls relate to various aspects of the IT function including software
d acquisition and the processing of transactions.
b. Application controls relate to various aspects of the IT function including physical security
and the processing of transactions in various cycles.
c. Application controls relate to all aspects of the IT function.
d. Application controls relate to the processing of individual transactions.

13. General controls include all of the following except:


easy a. systems development.
c b. online security.
c. processing controls.
d. hardware controls.

14. Predesigned formats, such as those used for audit documentation, can be created and saved
easy using electronic spreadsheets and word processors. These are called:
b a. desktop publishing.
b. templates.
c. macros.
d. work files.

15. ______ involves implementing a new system in one part of the organization, while other
easy locations continue to use the current system.
c a. Parallel testing
b. Online testing
c. Pilot testing
d. Control testing

16. To determine that user ID and password controls are functioning, an auditor would most likely:
easy a. attempt to sign on to the system using invalid user identifications and passwords.
a b. write a computer program that simulates the logic of the client’s access control software.
c. extract a random sample of processed transactions and ensure that the transactions were
appropriately authorized.
d. examine statements signed by employees stating that they have not divulged their user
identifications and passwords to any other person.

17. When IT programs or files can be accessed from terminals, users should be required to enter
easy a(n):
d a. echo check.
b. parity check.
c. self-diagnosis test.
d. authorized password.

18. An auditor’s flowchart of a client’s system is a graphical representation that depicts the
auditor’s:
easy a. program for tests of controls.
b b. understanding of the system.
c. understanding of the types of errors that are probable given the present system.
d. documentation of the study and evaluation of the system.

19. Which of the following is not a characteristic of an online processing system?


medium a. Output of the data files is available on request.
d b. Master files are updated at the time the entry is made.
c. Display terminals are used for both input and output purposes.
d. Programming is not allowed online and must be done separately.

20. Typical controls developed for manual systems which are still important in IT systems include:
medium a. proper authorization of transactions.
d b. competent and honest personnel.
c. careful and complete preparation of source documents.
d. all of the above.

21. ______ controls prevent and detect errors while transaction data are processed.
medium a. Software
c b. Application
c. Processing
d. Transaction

22. A database management system:


medium a. physically stores each element of data only once.
a b. stores data on different files for different purposes, but always knows where they are and
how to retrieve them.
c. allows quick retrieval of data but at a cost of inefficient use of file space.
d. allows quick retrieval of data, but it needs to update files continually.

23. Which of the following is not associated with converting from a manual to an IT system?
medium a. It usually centralizes data.
d b. It permits higher quality and more consistent controls over operations.
c. It may eliminate the control provided by division of duties of independent persons who
perform related functions and compare results.
d. It may take the recordkeeping function and the document preparation function away from
those who have custody of assets and put those functions into the IT center.

24. Which of the following statements about general controls is not correct?
medium a. Disaster recovery plans should identify alternative hardware to process company data.
d b. Successful IT development efforts require the involvement of IT and non-IT personnel.
c. The chief information officer should report to senior management and the board.
d. Programmers should have access to computer operations to aid users in resolving
problems.

25. Which of the following statements is correct?


medium a. Auditors should evaluate application controls before evaluating general controls.
c b. Auditors should evaluate application controls and general controls simultaneously.
c. Auditors should evaluate general controls before evaluating application controls.
d. None of these statements is correct.

26. An important characteristic of IT is uniformity of processing. Therefore, a risk exists that:


medium a. auditors will not be able to access data quickly.
c b. auditors will not be able to determine if data is processed consistently.
c. erroneous processing can result in the accumulation of a great number of misstatements in
a short period of time.
d. all of the above.

27. Auditors should evaluate the ________ before evaluating application controls because of the
medium potential for pervasive effects.
d a. input controls
b. control environment
c. processing controls
d. general controls

28. A control that relates to all parts of the IT system is called a(n):
medium a. general control.
a b. systems control.
c. universal control.
d. applications control.

29. Controls which apply to a specific element of the system are called:
medium a. user controls.
d b. general controls.
c. systems controls.
d. applications controls.

30. Which of the following is not an example of an applications control?


medium a. An equipment failure causes system downtime.
a b. There is a preprocessing authorization of the sales transactions.
c. There are reasonableness tests for the unit selling price of a sale.
d. After processing, all sales transactions are reviewed by the sales department.

31. Which of the following is least likely to be used in obtaining an understanding of client general
medium controls?
c a. Examination of system documentation
b. Inquiry of client personnel (e.g., key users)
c. Observation of transaction processing
d. Reviews of questionnaires completed by client IT personnel

32. Which of the following is not a general control?


medium a. Reasonableness test for unit selling price of a sale.
a b. Equipment failure causes error messages on monitor.
c. Separation of duties between programmer and operators.
d. Adequate program run instructions for operating the computer.

33. Controls which are built in by the manufacturer to detect equipment failure are called:
medium a. input controls.
c b. fail-safe controls.
c. hardware controls.
d. manufacturer’s controls.

34. Auditors usually evaluate the effectiveness of:


medium a. hardware controls before general controls.
c b. sales-cycle controls before application controls.
c. general controls before applications controls.
d. applications controls before the control environment.

35. Controls which are designed to assure that the information processed by the computer is
medium authorized, complete, and accurate are called:
a a. input controls.
b. processing controls.
c. output controls.
d. general controls.

36. Programmers should be allowed access to:


medium a. user controls.
d b. general controls.
c. systems controls.
d. applications controls.

37. Programmers should do all but which of the following?


medium a. Test programs for proper performance.
b b. Evaluate legitimacy of transaction data input.
c. Develop flowcharts for new applications.
d. Programmers should perform each of the above.

38. ______ tests determine that every field in a record has been completed.
medium a. Validation
c b. Sequence
c. Completeness
d. Programming

39. In an IT-intensive environment, most processing controls are:


medium a. input controls.
c b. operator controls.
c. programmed controls.
d. documentation controls.

40. Which of the following is not a processing control?


medium a. Control totals.
c b. Logic tests.
c. Check digits.
d. Computations tests.

41. Output controls are not designed to assure that data generated by the computer are:
medium a. accurate.
d b. distributed only to authorized people.
c. complete.
d. used appropriately by employees in making decisions.

42. Auditors usually obtain information about general and application controls through:
medium a. interviews with IT personnel.
d b. examination of systems documentation.
c. reading program change requests.
d. all of the above methods.

43. When auditors consider only non-IT controls in assessing control risk, it is known as:
medium a. the single-stage audit.
c b. the test deck approach.
c. auditing around the computer.
d. generalized audit software (GAS).

44. The auditor’s objective to determine whether the client’s computer programs can correctly
medium handle valid and invalid transactions as they arise is accomplished through the:
a a. test data approach.
b. generalized audit software approach.
c. microcomputer-aided auditing approach.
d. generally accepted auditing standards.

45. The audit approach in which the auditor runs his or her own program on a controlled basis to
medium verify the client’s data recorded in a machine language is:
c a. the test data approach.
b. called auditing around the computer.
c. the generalized audit software approach.
d. the microcomputer-aided auditing approach.

46. Which of the following is not one of the three categories of testing strategies when auditing
medium through the computer?
a a. Pilot simulation.
b. Test data approach.
c. Parallel simulation.
d. Embedded audit module.

47. Companies with non-complex IT environments often rely on microcomputers to perform


medium accounting system functions. Which of the following is not an audit consideration in such an
d environment?
a. Limited reliance on automated controls.
b. Unauthorized access to master files.
c. Vulnerability to viruses and other risks.
d. Excess reliance on automated controls.

48. Internal control is ineffective when computer personnel:


medium a. participate in computer software acquisition decisions.
c b. design flowcharts and narratives for computerized systems.
c. originate changes in customer master files.
d. provide physical security over program files.

49. When using the test data approach:


medium a. test data should include only exception conditions.
d b. application programs tested must be virtually identical to those used by employees.
c. select data may remain in the client system after testing.
d. none of the above statements is correct.

50. Because general controls have a _____ effect on the operating effectiveness of application
medium controls, auditors must consider general controls.
b a. nominal
b. pervasive
c. mitigating
d. worsening

51. Errors in data processed in a batch computer system may not be detected immediately because:
medium a. transaction trails in a batch system are available only for a limited period of time.
b b. there are time delays in processing transactions in a batch system.
c. errors in some transactions cause rejection of other transactions in the batch.
d. random errors are more likely in a batch system than in an online system.

52. ______ link equipment in large geographic regions.


medium a. Cosmopolitan area networks (CANs)
c b. Local area networks (LANs)
c. Wide area networks (WANs)
d. Virtual area networks (VANs)

53. Which of the following computer-assisted auditing techniques allows fictitious and real
medium transactions to be processed together without client operating personnel being aware of the
c testing process?
a. Parallel simulation.
b. Generalized audit software programming.
c. Integrated test facility.
d. Test data approach.

54. Firewalls are used to protect:


medium a. erroneous internal handling of data.
d b. against insufficient documentation of transactions.
c. illogical programming commands.
d. unauthorized use of system resources.

55. In an IT system, automated equipment controls or hardware controls are designed to:
medium a. correct errors in the computer programs.
c b. monitor and detect errors in source documents.
c. detect and control errors arising from the use of equipment.
d. arrange data in a logical sequential manner for processing purposes.

56. If a control total were to be computed on each of the following data items, which would best be
medium identified as a hash total for a payroll IT application?
b a. Gross wages earned.
b. Employee numbers.
c. Total hours worked.
d. Total debit amounts and total credit amounts.

57. What tools do companies use to limit access to sensitive company data?
medium
a Encryption techniques Digital signatures Firewall
a. Yes Yes Yes
b. Yes No No
c. No Yes Yes
d. Yes Yes No

58. Rather than maintain an internal IT center, many companies use ________ to perform many
medium basic functions such as payroll.
b a. external general service providers
b. external application service providers
c. internal control service providers
d. internal auditors

59. A company uses the account code 669 for maintenance expense. However, one of the company
medium clerks often codes maintenance expense as 996. The highest account code in the system is 750.
d What internal control in the company’s computer program would detect this error?
a. Pre-data input check.
b. Valid-character test.
c. Sequence check.
d. Valid-code test.

60. Which of the following is not an application control?


challenging a. Preprocessing authorization of sales transactions.
d b. Reasonableness test for unit selling price of sale.
c. Post-processing review of sales transactions by the sales department.
d. Separation of duties between computer programmer and operators.

61. It is common in IT systems to have certain types of transactions initiated automatically by the
challenging computer. Which of the following activities would not be an appropriate candidate for
d automatic computer initialization?
a. In a bank, periodic calculation of interest on customer accounts.
b. In a manufacturing facility ordering inventory at preset order levels.
c. In a hospital, the ordering of oxygen when pre-specified levels are achieved.
d. In an investment brokerage firm, the sale of pharmaceutical stocks when the Dow-Jones
Industrial Average falls below a certain level.

62. Application controls vary across the IT system. To gain an understanding of internal control for
challenging a private company, the auditor must evaluate the application controls for:
d a. every audit area.
b. every material audit area.
c. every audit area in which the client uses the computer.
d. every audit area where the auditor plans to reduce assessed control risk.

63. Many clients have outsourced the IT functions. The difficulty the independent auditor faces
challenging when a computer service center is used is to:
c a. gain the permission of the service center to review their work.
b. find compatible programs that will analyze the service center’s programs.
c. determine the adequacy of the service center’s internal controls.
d. try to abide by the Code of Professional Conduct to maintain the security and
confidentiality of client’s data.

64. An auditor who is testing IT controls in a payroll system would most likely use test data that
challenging contain conditions such as:
a a. time tickets with invalid job numbers.
b. overtime not approved by supervisors.
c. deductions not authorized by employees.
d. payroll checks with unauthorized signatures.

65. Which of the following is not a general control?
challenging a. The plan of organization and operation of IT activity.
c b. Procedures for documenting, reviewing, and approving systems and programs.
c. Processing controls.
d. Hardware controls.

66. In comparing (1) the adequacy of the hardware controls in the system with (2) the
challenging organization’s methods of handling the errors that the computer identifies, the independent
auditor is:
c a. unconcerned with both (1) and (2).
b. equally concerned with (1) and (2).
c. less concerned with (1) than with (2).
d. more concerned with (1) than with (2).

67. Service auditors do not issue which of the following types of reports?
challenging a. Report on implemented controls
b b. Report on controls that have been implemented and tested for design effectiveness
c. Report on controls that have been implemented and tested for operating effectiveness
d. Each of the above is issued.

68. The most important output control is:


challenging a. distribution control, which assures that only authorized personnel receive the reports
b generated by the system.
b. review of data for reasonableness by someone who knows what the output should look
like.
c. control totals, which are used to verify that the computer’s results are correct.
d. logic tests, which verify that no mistakes were made in processing.

Essay Questions

69. Briefly define general controls and application controls.


easy
Answer:
General controls are those that relate to all aspects of the IT function. They include
controls related to administration, software acquisition and maintenance, physical and on-
line security, backup and disaster recovery planning, and hardware controls. Application
controls relate to the processing of individual transactions. Application controls are
specific to certain software applications and typically do not affect all IT functions.

70. What are three specific risks to IT systems?


easy
Answer:
Three specific risks to IT systems include risks to hardware and data, a reduced audit trail,
and the need for IT experience and separation of IT duties.

71. Discuss how the integration of IT into accounting systems enhances internal control.
medium
Answer:
Enhancements to internal control resulting from the integration of IT into accounting
systems include:
• Computer controls replace manual controls. Replacing manual procedures with
programmed controls that apply checks and balances to each processed transaction
and that process information consistently can reduce human error that is likely to
occur in traditional manual environments.
• Higher quality information is available. IT systems typically provide management
with more and higher quality information faster than most manual systems.

72. Identify the three categories of application controls, and give one example of each.
medium
Answer:
Application controls fall into three categories:
• Input controls. Key verification and check digits are examples of input controls.
• Processing controls. One example is a reasonableness test for the unit selling price of
a sale.
• Output controls. One example is post-processing review of sales transactions by the
sales department.

73. Discuss what is meant by the term “auditing around the computer.”
medium
Answer:
“Auditing around the computer” occurs when the auditor considers only the non-IT
controls when assessing control risk. Under this approach, the auditor obtains an
understanding of internal control and performs tests of controls, substantive tests of
transactions, and account balance verification procedures in the same manner as in manual
systems. However, there is no attempt to test, or rely on, the client’s IT controls.

74. Discuss the circumstances that must exist for the auditor to “audit around the computer.”
medium
Answer:
To “audit around the computer,” the following conditions must exist:
• The source documents must be available in a form readable by a human.
• The documents must be maintained in a manner that makes it possible to locate them
for auditing purposes.
• The output must be listed in sufficient detail to enable the auditor to trace individual
transactions from the source documents to the output and vice versa.
If any of these conditions does not exist, the auditor will have to rely on computer-oriented
controls.

75. Describe three computer auditing techniques available to the auditor.


medium
Answer:
Computer auditing techniques available to the auditor are:
• Test data approach. Using this approach, the auditor develops different types of
transactions that are processed under his or her own control using the client’s
computer programs on the client’s IT equipment.
• Parallel simulation. Using parallel simulation, the auditor writes a computer program
that replicates some part of the client’s application system. The client’s data is then
processed using the auditor’s computer program. The auditor then compares the
output generated by his or her program with that generated by the client’s program to
test the correctness of the client’s program. Generalized audit software may be used.
• Embedded audit module. Using this approach, the auditor inserts an audit module in
the client’s application system to capture transactions with characteristics that are of
interest to the auditor.

76. What are the two software testing strategies that companies typically use? Which strategy is
medium more expensive?

Answer:
Companies may use pilot testing and parallel testing to test new software. Pilot testing
involves operating the new software at a limited number of facilities, while continuing to
operate the old software at all other locations. Parallel testing involves operating the new
and old software simultaneously. Parallel testing is more expensive than pilot testing.

77. Discuss the advantages and benefits of using generalized audit software.
medium
Answer:
Advantages and benefits of using generalized audit software include:
• they are developed in such a manner that most of the audit staff can be trained to use
the program even if they have little formal IT education.
• a single program can be applied to a wide range of tasks without having to incur the
cost or inconvenience of developing individualized programs.
• generalized audit software can perform tests much faster and in more detail than using
traditional manual procedures.

78. Why do businesses use networks? Describe a local area network and a wide area network.
medium
Answer:
Networks are used to link equipment such as microcomputers, midrange computers,
mainframes, work stations, servers, and printers. A local area network links equipment
within a single or small cluster of buildings and is used only within a company. A wide
area network links equipment in larger geographic regions, including global operations.

79. Discuss the four areas of responsibility under the IT function that should be segregated in large
medium companies.

Answer:
The responsibilities for IT management, systems development, operations, and data
control should be separated:
• IT Management. Oversight of the IT function should be segregated from the systems
development, operations, and data control functions. Oversight of IT should be the
responsibility of the Chief Information Officer or IT manager.
• Systems development. Systems analysts are responsible for the overall design of each
application system. Programmers develop, test, and document applications software.
Programmers and analysts should not have access to input data or computer
operations.
• Operations. Computer operators are responsible for the day-to-day operations of the
computer.
• Data control. Data control personnel independently verify the quality of input and the
reasonableness of output.

80. What types of reports may be issued by a service organization auditor? Which of these is likely
challenging to be used by an auditor performing an audit of a public company?

Answer:
Service organization auditors may issue two types of reports:
• reports on controls that have been implemented, and
• reports on controls that have been implemented and tested for operating effectiveness.

Auditors of a public company would likely use the latter type of report because they have
to provide a report on the internal control over financial reporting.

81. Identify the six categories of general controls and give one example of each.
challenging
Answer:
General controls fall into the following six categories:
• Administration of the IT function. For example, the chief information officer (CIO)
should report to senior management and board of directors.
• Segregation of IT duties. For example, there should be separation of duties between
the computer programmers, operators, and the data control group.
• Systems development. Users, analysts, and programmers develop and test software.
• Physical and online security. For example, passwords should be required for access to
computer systems.
• Backup and contingency planning. Written backup plans should be prepared and
tested on a regular basis throughout the year.
• Hardware controls. For example, uninterruptible power supplies should be used to
avoid loss of data in the event of a power blackout.

Other Objective Answer Format Questions

82. Match eight of the terms (a-n) with the definitions provided below (1-8):
medium
a. Application controls
b. Auditing around the computer
c. Auditing through the computer
d. Error listing
e. General controls
f. Generalized audit software
g. Hardware controls
h. Input controls
i. Output controls
j. Parallel simulation
k. Parallel testing
l. Pilot testing
m. Processing controls
n. Test data approach

k 1. The new and old systems operate simultaneously in all locations.

e 2. Controls that relate to all parts of the IT system.


j 3. Involves the use of a computer program written by the auditor that replicates
some part of a client’s application system.

n 4. A method of auditing IT systems which uses data created by the auditor to


determine whether the client’s computer program can correctly process valid
and invalid transactions.

i 5. Controls such as review of data for reasonableness, designed to assure that


data generated by the computer is valid, accurate, complete, and distributed
only to authorized people.

a 6. Controls that apply to processing of transactions.

l 7. A new system is implemented in one part of the organization while other


locations continue to rely on the old system.

h 8. Controls such as proper authorization of documents, check digits, and


adequate documentation, designed to assure that the information to be
processed by the computer is authorized, complete, and accurate.

83. Inherent risk is often reduced in complex IT systems relative to less complex IT systems.
easy a. True
b b. False

84. Parallel testing is used when old and new systems are operated simultaneously in all locations.
easy a. True
a b. False

85. Firewalls can protect company data and software programs.


easy a. True
a b. False

86. Programmers should not have access to transaction data.


easy a. True
a b. False

87. One potential disadvantage of IT systems is the reduction or elimination of source documents,
easy which reduces the visibility of the audit trail.
a a. True
b. False

88. LANs link equipment within a single or small cluster of buildings and are used only for
easy intracompany purposes.
a a. True
b. False

89. In IT systems, if general controls are effective, it increases the auditor’s ability to rely on
medium application controls to reduce control risk.
a a. True
b. False

90. Parallel testing is more expensive than pilot testing.


medium a. True
a b. False

91. The effectiveness of manual controls depends solely on the competence of the personnel
medium performing the controls.
b a. True
b. False

92. The test data approach requires the auditor to insert an audit module in the client’s application
medium system to test transaction data specifically identified by the auditor as unusual.
b a. True
b. False

93. General controls in smaller companies are usually less effective than in more complex IT
medium environments.
a a. True
b. False

94. (Public) Knowledge of both general and application controls is not particularly crucial for auditors of
medium public companies.
b a. True
b. False

95. Logic tests and completeness tests are examples of general controls.
medium a. True
b b. False

96. When the auditor decides to “audit around the computer,” there is no need to test the client’s IT
medium controls or obtain an understanding of the client’s internal controls related to the IT system.
b a. True
b. False

97. Auditors normally link controls and deficiencies in general controls to specific transaction-
medium related audit objectives.
b a. True
b. False

98. Output controls focus on detecting errors after processing is completed rather than preventing
medium errors prior to processing.
a a. True
b. False

99. The objective of the computer audit technique known as the test data approach is to determine
medium whether the client’s computer programs can correctly process valid and invalid transactions.
a a. True
b. False

100. Parallel simulation is used primarily to test internal controls over the client’s IT systems,
medium whereas the test data approach is used primarily for substantive testing.
b a. True
b. False

101. Processing controls is a category of application controls.


medium a. True
a b. False

102. Controls that relate to a specific use of the IT system, such as the processing of sales or cash
medium receipts, are called application controls.
a a. True
b. False

103. “Auditing around the computer” is acceptable only if the auditor has access to the client’s data
medium in a machine-readable language.
b a. True
b. False

104. IT controls are classified as either input controls or output controls.


medium a. True
b b. False

105. One common use of generalized audit software is to help the auditor identify weaknesses in the
medium client’s IT control procedures.
b a. True
b. False

106. Tests of controls are normally performed only if the auditor believes the client’s internal control
medium may be effective.
a a. True
b. False

107. “Auditing around the computer” is most appropriate when the client has not maintained detailed
medium output or source documents in a form readable by humans.
b a. True
b. False

108. When auditing a client whose information is processed by an outside service provider, it is not
medium acceptable for the auditor to rely on the audit report of another independent auditor who has
b previously tested the internal controls of the service provider, rather than testing the service
provider’s controls himself or herself.
a. True
b. False

109. When a client uses microcomputers for the accounting functions, the auditor should normally
medium rely only on non-IT controls or take a substantive approach to the audit.
a a. True
b. False
